CVE-2025-60710: CISA’s active‑exploit designation turns a TaskHost privilege bug into a two‑week patch emergency
CISA’s addition of CVE-2025-60710 to the Known Exploited Vulnerabilities list makes a previously theoretical Windows Task Host privilege escalation a present operational threat: federal agencies have two weeks under BOD 22‑01 to patch, and all organizations should treat this as a priority, with detection as a complement to patching rather than a substitute for it.
CISA’s designation versus the bug’s mechanics
In April 2026 CISA flagged CVE-2025-60710 as actively exploited and added it to the KEV catalog, triggering the two‑week remediation requirement for U.S. federal civilian agencies under Binding Operational Directive 22‑01. Microsoft issued a patch in late 2025; affected systems include Windows 11 (24H2/25H2) and Windows Server 2025 builds earlier than the patched releases (example patched build: 10.0.26100.7462). The designation changes the operational posture from “plan to patch” to “patch now and hunt.”
Local privilege escalation versus remote compromise myths
The vulnerability is a local privilege escalation rooted in improper link resolution (“link following”) inside TaskHost.exe, the Host Process for Windows Tasks. Exploitation needs local code execution but not user interaction—an attacker who already has a foothold (for example via phishing, stolen credentials, or another exploited bug) can escalate to SYSTEM and then perform actions like disabling defenses, establishing persistence, or stealing credentials. It is not a remote code execution (RCE) issue that allows initial remote compromise without prior access; treating it as such would be a dangerous misread.
Signal to hunt for versus noisy telemetry to ignore
Detection should focus on specific, attributable signals rather than generic alerts. Prioritized indicators include anomalous TaskHost.exe behavior (unexpected child processes or COM object use tied to TaskHost), sudden creation or modification of scheduled tasks, and Windows Security event IDs such as 4688 (process creation) and 4697 (service installation). Audit scheduled‑task directories and task definitions in the registry for unauthorized changes; correlate those logs with endpoint telemetry to separate legitimate automation from attacker activity. Relying solely on high‑volume heuristics without baseline context will generate avoidable false positives.
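The triage logic below is an added example, not code from the original article, from Microsoft or from CISA. It works on already-parsed Security-log records (dicts using the log's own field names, as a SIEM or a wevtutil/Get-WinEvent export would yield) and applies the signals named above: TaskHost spawning a child outside a per-environment allowlist, with an escalation to critical when the child is an interactive shell or LOLBin running as LocalSystem, and service installations (4697) whose image sits in a user-writable path. It also goes one step beyond the IDs the article names by handling 4698 (scheduled task created), since the article asks for task-creation monitoring. The allowlist, the taskhostw.exe basename (the name the host process carries on current Windows 10/11 builds) and all sample events are assumptions constructed for the example.

```python
"""Triage Windows Security events for the TaskHost-related signals the article prioritises.

Added example, not code from the original article or from Microsoft/CISA. It works on
already-parsed event records (dicts with the field names the Security log uses). The
allowlists and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The article names TaskHost.exe; current Windows 10/11 builds carry the same host
# process as taskhostw.exe, so both basenames are matched (case-insensitively).
TASKHOST_NAMES = {"taskhost.exe", "taskhostw.exe"}
# Assumption: children TaskHost legitimately spawns in THIS environment. Build it from
# a baseline of your own telemetry; everything outside it is reported.
EXPECTED_TASKHOST_CHILDREN = {r"c:\windows\system32\conhost.exe"}
INTERACTIVE_OR_LOLBIN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
LOCAL_SYSTEM_SID = "S-1-5-18"
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass
class Finding:
    severity: str
    event_id: int
    computer: str
    reason: str


def _norm(path: str) -> str:
    return path.strip().lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def triage_event(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for one event, or None when it carries no prioritised signal."""
    eid = ev.get("EventID")
    computer = ev.get("Computer", "unknown")
    if eid == 4688:  # process creation
        parent, child = _norm(ev.get("ParentProcessName", "")), _norm(ev.get("NewProcessName", ""))
        if _basename(parent) not in TASKHOST_NAMES or child in EXPECTED_TASKHOST_CHILDREN:
            return None
        # TargetUserSid is the new process's account; fall back to the creator's SID.
        sid = ev.get("TargetUserSid") or ev.get("SubjectUserSid", "")
        if _basename(child) in INTERACTIVE_OR_LOLBIN and sid == LOCAL_SYSTEM_SID:
            return Finding("critical", eid, computer,
                           f"{_basename(parent)} spawned {_basename(child)} as LocalSystem")
        return Finding("high", eid, computer, f"{_basename(parent)} spawned unexpected child {child}")
    if eid == 4697:  # service installed
        image = _norm(ev.get("ServiceFileName", ""))
        if any(h in image for h in USER_WRITABLE_HINTS):
            return Finding("high", eid, computer,
                           f"service {ev.get('ServiceName')} installed from user-writable path {image}")
        return Finding("info", eid, computer, f"service {ev.get('ServiceName')} installed")
    if eid == 4698:  # scheduled task created; the task XML is carried in TaskContent
        xml = ev.get("TaskContent", "").lower()
        if f"<userid>{LOCAL_SYSTEM_SID.lower()}</userid>" in xml or "<userid>system</userid>" in xml:
            return Finding("medium", eid, computer, f"task {ev.get('TaskName')} registered to run as SYSTEM")
        return Finding("info", eid, computer, f"task {ev.get('TaskName')} registered")
    return None


def triage_events(events: List[Dict[str, str]]) -> List[Finding]:
    """Triage a batch and return findings ordered most severe first."""
    findings = [f for f in (triage_event(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample events (field names follow the Security log; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS-01", "ParentProcessName": r"C:\Windows\System32\taskhostw.exe",
     "NewProcessName": r"C:\Windows\System32\conhost.exe", "TargetUserSid": "S-1-5-21-1-2-3-1001"},
    {"EventID": 4688, "Computer": "WS-02", "ParentProcessName": r"C:\Windows\System32\taskhostw.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "TargetUserSid": "S-1-5-18"},
    {"EventID": 4688, "Computer": "WS-03", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "TargetUserSid": "S-1-5-21-1-2-3-1001"},
    {"EventID": 4697, "Computer": "WS-02", "ServiceName": "UpdSvc",
     "ServiceFileName": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"EventID": 4698, "Computer": "WS-02", "TaskName": r"\Microsoft\Windows\Maint",
     "TaskContent": "<Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals></Task>"},
    {"EventID": 4697, "Computer": "SRV-01", "ServiceName": "BackupAgent",
     "ServiceFileName": r"C:\Program Files\Backup\agent.exe"},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.computer} {f.event_id}: {f.reason}")
```

The allowlist is the part that carries the baseline context the article insists on: without it every TaskHost child becomes a finding and the rule degrades into exactly the high-volume heuristic the paragraph warns against. Build it from a quiet period of your own 4688 data, and keep the "info" findings (routine service and task registrations) for correlation rather than alerting.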
Patch deadline, immediate mitigations, and next checkpoints
With CISA’s KEV listing in April 2026 and the two‑week federal deadline, organizations should aim to deploy Microsoft’s late‑2025 patch immediately. For entities that cannot apply the patch right away, practical mitigations include tightening who can create or modify scheduled tasks, removing unnecessary local admin rights, and hardening NTFS permissions on directories TaskHost touches. These measures reduce the attack surface but do not eliminate the need to patch.
| Action | What it addresses | When to use |
|---|---|---|
| Apply Microsoft patch (late‑2025 fixes) | Remediates the underlying link‑following flaw | Immediately; federal two‑week window per BOD 22‑01 |
| Restrict scheduled‑task creation and local admin rights | Reduces ability to exploit post‑compromise | Short term, while deploying patches |
| Hunt using Event IDs 4688/4697 and TaskHost traces | Detects attempted or successful privilege escalations | Ongoing; assess telemetry after patching to confirm no backdoors |
| Long‑term: least privilege, EDR, segmentation | Limits attacker movement after initial compromise | Strategic; reduces future exposure to LPE bugs |
Operational checkpoints and what to monitor next
After patch deployment, make the next checkpoint a telemetry sweep: verify patch levels (compare against Microsoft’s release and the example patched build 10.0.26100.7462), search historical logs for TaskHost anomalies prior to patching, and watch for post‑patch attempts that might indicate attackers testing bypasses. CISA’s KEV listing implies active campaigns—assume some environments have already been probed—and integrate these hunts with incident response so that discovery triggers containment and forensic capture rather than a simple log entry.
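The patch-level check in that sweep is easy to get wrong when build strings are compared as text. The following is an added example, not code from the original article or from Microsoft: it classifies an inventory of hosts against the article's example patched build 10.0.26100.7462 by comparing the four build components numerically, and deliberately reports hosts on a build line for which no baseline has been recorded as "unknown-baseline" instead of treating them as patched. The inventory, the earlier UBR 6584, the future UBR 10000 (included only to show the string-comparison pitfall) and the 26200 build line are all constructed values.

```python
"""Patch-level sweep for the TaskHost fix: classify hosts by build string.

Added example, not from the original article or from Microsoft. The only baseline it
knows is the article's example patched build 10.0.26100.7462; the host inventory below
is constructed, and the build 10.0.26100.10000 in it is a made-up future UBR used only
to show why version strings must be compared numerically.
"""
from typing import Dict, List, Tuple

Build = Tuple[int, int, int, int]

# Minimum patched build per build line (third component). Only the article's example is
# recorded here; every other build line is deliberately left out so that it is flagged
# for review instead of being silently treated as patched.
PATCHED_BASELINES: Dict[int, Build] = {26100: (10, 0, 26100, 7462)}


def parse_build(text: str) -> Build:
    """Turn 'major.minor.build.ubr' into an int tuple so that comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build string: {text!r}")
    major, minor, build, ubr = (int(p) for p in parts)
    return (major, minor, build, ubr)


def classify_host(build_text: str) -> str:
    """'patched', 'vulnerable', or 'unknown-baseline' when the build line has no minimum."""
    version = parse_build(build_text)
    baseline = PATCHED_BASELINES.get(version[2])
    if baseline is None:
        return "unknown-baseline"
    return "patched" if version >= baseline else "vulnerable"


def sweep(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by classification; 'vulnerable' and 'unknown-baseline' need action."""
    groups: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown-baseline": []}
    for host, build_text in sorted(inventory.items()):
        groups[classify_host(build_text)].append(host)
    return groups


# Constructed inventory (hostnames and builds are made up; see the module docstring).
SAMPLE_INVENTORY = {
    "ws-01": "10.0.26100.7462",   # exactly the article's example patched build
    "ws-02": "10.0.26100.6584",   # same build line, earlier UBR -> vulnerable
    "ws-03": "10.0.26100.10000",  # later UBR; a string compare would call this "older"
    "srv-01": "10.0.26200.1234",  # build line with no recorded baseline -> manual review
}

if __name__ == "__main__":
    for group, hosts in sweep(SAMPLE_INVENTORY).items():
        print(f"{group:17} {', '.join(hosts) or '-'}")
```

Feed it the build strings your inventory tool already collects (the CurrentBuild and UBR registry values, or the version field from your EDR), and extend PATCHED_BASELINES with one entry per build line you run, taken from Microsoft's release notes rather than guessed; a host in the "unknown-baseline" group is a gap in that table, not a patched machine.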